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Mr.  Chairman  and  Members  of  the  Committee: 


I  am  pleased  to  be  here  to  discuss  S.  1993,  the  Government  I  nformation 
Security  Act  of  1999,  which  seeks  to  strengthen  information  security 
practices  throughout  the  federal  government.  Such  efforts  are  necessary 
and  critical.  Our  work  has  shown  that  almost  all  government  agencies  are 
plagued  by  poor  computer  security.  Recent  events  such  as  the  denial  of 
service  attacks  last  month  indicate  the  damage  that  can  occur  when  an 
organization's  computer  security  defenses  are  breached.  However,  Mr. 
Chairman,  let  me  emphasize  that  the  potential  for  more  serious  disruption 
is  significant.  As  I  stated  in  recent  testimony,  our  nation's  computer-based 
infrastructures  are  at  increasing  risk  of  severe  disruption.  The  dramatic 
increase  of  computer  interconnectivity,  while  beneficial  in  many  ways,  has 
provided  pathways  among  systems  that,  if  not  properly  secured,  can  be 
used  to  gain  unauthorized  access  to  data  and  operations  from  remote 
locations.  Government  officials  are  increasingly  worried  about  attacks 
from  individuals  and  groups  with  malicious  intentions,  such  as  terrorists 
and  nations  engaging  in  information  warfare.^ 

S.  1993  provides  opportunities  to  address  this  problem.  It  updates  the  legal 
framework  that  supports  federal  information  security  requirements  and 
addresses  widespread  federal  information  security  weaknesses.  In 
particular,  the  bill  provides  for  a  risk-based  approach  to  information 
security  and  independent  annual  audits  of  security  controls.  Moreover,  it 
approaches  security  from  a  governmentwide  perspective,  taking  steps  to 
accommodate  the  significantly  varying  information  security  needs  of  both 
national  security  and  civilian  agency  operations. 

Mr.  Chairman,  I  would  like  to  discuss  how  these  proposals  can  lead  to 
substantial  improvements  in  federal  agency  performance  in  addressing 
computer  security  issues.  In  addition,  I  would  like  to  raise  two  additional 
concerns— the  need  for  better-defined  control  standards  and  centralized 
leadership— that,  if  addressed,  could  further  strengthen  security  practices 
and  oversight.  These  two  concerns  merit  further  attention  as  the 
Committee  moves  ahead  with  its  work  in  this  area. 


^Critical  Infrastructure  Protection:  Comments  on  the  National  Plan  for  Information  Systems  Protection 
(GAO/T-AIMD-00-72,  February  1,  2000). 


Page  1 


GAO/T-AI MD-00-107 


Information  Security 
Improvements  Are 
Urgently  Needed 


Improvements  in  agency  information  security  practices  are  sorely  needed. 
Our  October  1999  analysis  of  our  own  and  inspector  general  audits  found 
that  22  of  the  largest  federal  agencies  were  not  adequately  protecting 
critical  federal  operations  and  assets  from  computer-based  attacks.^ 
Highlighting  attention  to  this  problem  over  the  past  12  months  was  the 
disruption  of  operations  at  some  government  agencies  caused  by  the 
Melissa  computer  virus  as  well  as  a  series  of  federal  web  site  break-ins.  As 
in  past  analyses,  we  concluded  that  addressing  this  widespread  and 
persistent  problem  would  require  significant  management  attention  and 
action  within  individual  agencies  as  well  as  increased  coordination  and 
oversight  at  the  governmentwide  level. 

Our  most  recent  individual  agency  review  of  the  Environmental  Protection 
Agency  (EPA),  corroborated  our  governmentwide  analysis.^  Overall,  we 
found  that  E  PA's  computer  systems  and  the  operations  that  rely  on  these 
systems  were  highly  vulnerable  to  tampering,  disruption,  and  misuse. 
EPA's  own  records  identified  several  serious  computer  incidents  in  the 
last  2  years  that  resulted  in  damage  and  disruption  to  agency  operations. 
Moreover,  our  tests  of  computer-based  controls  concluded  that  computer 
operating  systems  and  the  agencywide  computer  network  that  support 
most  of  EPA's  mission-related  and  financial  operations  were  riddled  with 
security  weaknesses.  EPA  is  currently  taking  significant  steps  to  address 
these  weaknesses.  However,  resolving  EPA's  information  security 
problems  will  require  substantial  ongoing  management  attention  since 
security  program  planning  and  management  to  date  have  largely  been  a 
paper  exercise  doing  little  to  substantively  identify,  evaluate,  and  mitigate 
risks  to  the  agency's  data  and  systems.  Any  fixes  made  by  E  PA  to  address 
specific  control  weaknesses  will  be  temporary  until  these  underlying 
management  issues  are  addressed. 

E  PA  is  not  unique.  Within  the  past  12  months  we  have  identified 
significant  management  weaknesses  and  control  deficiencies  at  a  number 
of  agencies  that  effectively  undermine  the  integrity  of  their  computer 
security  operations. 

In  August  1999,  we  reported^  that  pervasive  weaknesses  in  Department  of 
Defense  information  security  continue  to  provide  both  hackers  and 


y 

Critical  Infrastructure  Protection:  Comprehensive  Strategy  Can  Draw  on  Year  2000  Experiences 
(GAO/AIMD-00-1,  October  1,  1999). 


^Information  Security:  Fundamental  Weaknesses  Place  EPA  Data  and  Operations  at  Risk  (GAO/ 
T-AIMD-00-97,  February  17,  2000). 


^DOD  Information  Security:  Serious  Weaknesses  Continue  to  Place  Defense  Operations  at  Risk  (GAO/ 
AIMD-99-107,  August  26,  1999). 
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hundreds  of  thousands  of  authorized  users  the  opportunity  to  modify, 
steal,  inappropriately  disclose,  and  destroy  sensitive  DOD  data.  Among 
other  things,  these  weaknesses  impaired  DOD's  ability  to  control  physical 
and  electronic  access  to  its  systems  and  data;  ensure  that  software  running 
on  its  systems  is  properly  authorized,  tested,  and  functioning  as  intended; 
and  resume  operations  in  the  event  of  a  disaster. 

•  In  May  1999,  we  reported^  that,  as  part  of  our  tests  of  the  National 
Aeronautics  and  Space  Administration's  (NASA)  computer-based  controls, 
we  successfully  penetrated  several  mission-critical  systems,  including  one 
responsible  for  calculating  detailed  positioning  data  for  each  orbiting 
spacecraft  and  another  that  processes  and  distributes  the  scientific  data 
received  from  these  spacecraft.  Having  obtained  access,  we  could  have 
disrupted  ongoing  command  and  control  operations  and  modified  or 
destroyed  system  software  and  data. 

•  In  August  1999,  an  independent  accounting  firm  reported®  that  the 
Department  of  State's  mainframe  computers  for  domestic  operations  were 
vulnerable  to  unauthorized  access.  Consequently,  other  systems,  which 
process  data  using  these  computers,  could  also  be  vulnerable.  A  year 
earlier,  in  May  1998,  we  reported’  that  our  tests  at  State  demonstrated  that 
its  computer  systems  and  the  information  they  maintained  were  very 
susceptible  to  hackers,  terrorists,  or  other  unauthorized  individuals 
seeking  to  damage  State  operations  or  reap  financial  gain  by  exploiting  the 
department's  information  security  weaknesses. 

•  I  n  October  1999,  we  reported*^  that  serious  weaknesses  placed  sensitive 
information  belonging  to  the  Department  of  Veterans  Affairs  (VA)  at  risk 
of  inadvertent  or  deliberate  misuse,  fraudulent  use,  improper  disclosure, 
or  destruction,  possibly  occurring  without  detection.  Such  findings  were 
particularly  troublesome  since  VA  collects  and  maintains  sensitive  medical 
record  and  benefit  payment  information  for  veterans  and  family  members 
and  is  responsible  for  tens  of  billions  of  dollars  of  benefit  payments 
annually. 


^Information  Security:  Many  NASA  Mission-Critical  Systems  Face  Serious  Risks  (GAO/AIMD-99-47,  May  20, 
1999). 

^ Audit  of  the  Department  of  State’s  1997  and  1998  Principal  Financial  Statements,  Leonard  G.  Bimbaum  and 
Company,  LLP,  August  9,  1999. 

Computer  Security:  Pervasive  Serious  Weaknesses  Jeopardize  State  Department  Operations  (GAO/ 
AIMD-98-145,May  18,  1998). 

O 

Information  Systems:  The  Status  of  Computer  Security  at  the  Department  of  Veterans  Affairs  (GAO/ 
AIMD-00-05,  October  4,  1999). 
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Although  the  nature  of  operations  and  related  risks  at  these  and  other 
agencies  vary,  there  are  striking  similarities  in  the  specific  types  of 
weaknesses  reported.  The  following  six  areas  of  management  and  general 
control  weaknesses  are  repeatedly  highlighted  in  our  reviews. 

•  E ntitywide  Security  Program  Planning  and  Management.  E  ach 

organization  needs  a  set  of  management  procedures  and  an  organizational 
framework  for  identifying  and  assessing  risks,  deciding  what  policies  and 
controls  are  needed,  periodically  evaluating  the  effectiveness  of  these 
policies  and  controls,  and  acting  to  address  any  identified  weaknesses. 
These  are  the  fundamental  activities  that  allow  an  organization  to  manage 
its  information  security  risks  cost  effectively,  rather  than  reacting  to 
individual  problems  ad  hoc  only  after  a  violation  has  been  detected  or  an 
audit  finding  has  been  reported.  Despite  the  importance  of  this  aspect  of 
an  information  security  program,  we  continue  to  find  that  poor  security 
planning  and  management  is  the  rule  rather  than  the  exception.  Most 
agencies  do  not  develop  security  plans  for  major  systems  based  on  risk, 
have  not  formally  documented  security  policies,  and  have  not 
implemented  programs  for  testing  and  evaluating  the  effectiveness  of  the 
controls  they  rely  on. 

•  Access  Controls.  Access  controls  limit  or  detect  inappropriate  access  to 
computer  resources  (data,  equipment,  and  facilities)  thereby  protecting 
these  resources  against  unauthorized  modification,  loss,  and  disclosure. 
They  include  physical  protections,  such  as  gates  and  guards,  as  well  as 
logical  controls,  which  are  controls  built  into  software  that  (1)  require 
users  to  authenticate  themselves  through  passwords  or  other  identifiers 
and  (2)  limit  the  files  and  other  resources  that  an  authenticated  user  can 
access  and  the  actions  that  he  or  she  can  execute.  I  n  many  of  our  reviews 
we  have  found  that  managers  do  not  identify  or  document  access  needs 
for  individual  users  or  groups,  and,  as  a  result,  they  provide  overly  broad 
access  privileges  to  very  large  groups  of  users.  Additionally,  we  often  find 
that  users  share  accounts  and  passwords  or  post  passwords  in  plain  view, 
making  it  impossible  to  trace  specific  transactions  or  modifications  to  an 
individual.  Unfortunately,  as  a  result  of  these  and  other  access  control 
weaknesses,  auditors  conducting  penetration  tests  of  agency  systems  are 
almost  always  successful  in  gaining  unauthorized  access  that  would  allow 
intruders  to  read,  modify,  or  delete  data  for  whatever  purposes  they  had  in 
mind. 

•  Application  Software  Development  and  Change  Controls. 

Application  software  development  and  change  controls  prevent 
unauthorized  software  programs  or  modifications  to  programs  from  being 
implemented.  Without  them,  individuals  can  surreptitiously  modify 
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software  programs  to  include  processing  steps  or  features  that  could  later 
be  exploited  for  personal  gain  or  sabotage.  In  many  of  our  audits,  we  find 
that(l)  testing  procedures  are  undisciplined  and  do  not  ensure  that 
implemented  software  operates  as  intended,  (2)  implementation 
procedures  do  not  ensure  that  only  authorized  software  is  used,  and 
(3)  access  to  software  program  libraries  is  inadequately  controlled. 

•  Segregation  of  Duties.  Segregation  of  duties  refers  to  the  policies, 
procedures,  and  organizational  structure  that  help  ensure  that  one 
individual  cannot  independently  control  all  key  aspects  of  a  process  or 
computer-related  operation  and  thereby  conduct  unauthorized  actions  or 
gain  unauthorized  access  to  assets  or  records  without  detection.  For 
example,  one  computer  programmer  should  not  be  allowed  to 
independently  write,  test,  and  approve  program  changes.  We  commonly 
find  that  computer  programmers  and  operators  are  authorized  to  perform 
a  wide  variety  of  duties,  thus  providing  them  the  ability  to  independently 
modify,  circumvent,  and  disable  system  security  features.  Similarly,  we 
have  also  identified  problems  related  to  transaction  processing,  where  all 
users  of  a  financial  management  system  can  independently  perform  all  of 
the  steps  needed  to  initiate  and  complete  a  payment. 

•  System  Software  Controis.  System  software  controls  limit  and  monitor 
access  to  the  powerful  programs  and  sensitive  files  associated  with  the 
computer  systems  operation,  e.g.,  operating  systems,  system  utilities, 
security  software,  and  database  management  systems.  If  controls  in  this 
area  are  inadequate,  unauthorized  individuals  might  use  system  software 
to  circumvent  security  controls  to  read,  modify,  or  delete  critical  or 
sensitive  information  and  programs.  Such  weaknesses  seriously  diminish 
the  reliability  of  information  produced  by  all  of  the  applications  supported 
by  the  computer  system  and  increase  the  risk  of  fraud,  sabotage,  and 
inappropriate  disclosures.  Our  reviews  frequently  identify  systems  with 
insufficiently  restricted  access  which  makes  it  possible  for  knowledgeable 
individuals  to  disable  or  circumvent  controls  in  a  wide  variety  of  ways. 

•  Service  Continuity  Controis.  Service  continuity  controls  ensure  that 
critical  operations  can  continue  when  unexpected  events  occur,  such  as  a 
temporary  power  failure,  accidental  loss  of  files,  even  a  major  disaster 
such  as  a  fire.  For  this  reason,  an  agency  should  have  (1)  procedures  in 
place  to  protect  information  resources  and  minimize  the  risk  of  unplanned 
interruptions  and  (2)  a  plan  to  recover  critical  operations  should 
interruptions  occur.  At  many  of  the  agencies  we  have  reviewed,  we  have 
found  that  plans  and  procedures  are  incomplete  because  operations  and 
supporting  resources  had  not  been  fully  analyzed  to  determine  which  were 
most  critical  and  would  need  to  be  restored  first.  In  addition,  disaster 
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recovery  plans  are  often  not  fully  tested  to  Identify  their  weaknesses.  As  a 
result,  many  agencies  have  Inadequate  assurance  that  they  can  recover 
operational  capability  In  a  timely,  orderly  manner  after  a  disruptive  attack. 

Unfortunately,  In  addressing  these  problems,  agencies  often  react  to 
Individual  audit  findings  as  they  are  reported,  rather  than  addressing  the 
systemic  causes  of  control  weaknesses—  namely,  poor  agency  security 
planning  and  management.  S.  1993  recognizes  that  this  approach  Is 
unworkable  In  today's  environment. 


S.  1993  Proposals  Can 
Lead  to  Improved 
Information  Security 
Management 


S.  1993  starts  with  the  basic  premise  that  computer  security  can  only  work 
within  agencies  If  a  strong  management  framework  Is  In  place.  The  bill.  In 
fact.  Incorporates  the  basic  tenets  of  good  security  management  found  In 
our  report  on  security  practices  of  leading  organizations  prepared  at  your 
request  In  1998.'^  The  bill  proposes  Improvements  In  three  significant  areas: 

following  a  risk-based  approach  to  Information  security. 


•  performing  Independent  annual  audits  of  security  controls,  and 

•  approaching  security  from  a  governmentwide  perspective  taking  Into 
account  the  varying  Information  security  needs  of  both  national  security 
and  civilian  agency  operations. 

If  effectively  Implemented,  these  proposals  should  help  federal  agencies 
Improve  their  Information  security  practices  and  considerably  strengthen 
executive  branch  and  congressional  oversight. 

The  first  Improvement  area  would  require  a  risk  management  approach  to 
be  Implemented  jointly  by  agency  program  managers  and  technical 
specialists.  Instituting  such  an  approach  Is  Important  since  agencies  have 
generally  done  a  very  poor  job  of  evaluating  their  Information  security 
risks  and  Implementing  appropriate  controls.  Moreover,  our  studies  of 
public  and  private  best  practices  have  shown  that  effective  security 
program  management  requires  Implementing  a  process  that  provides  for 


•  assessing  Information  security  risks  to  program  operations  and  assets  and 
Identifying  related  needs  for  protection, 

•  selecting  and  Implementing  controls  that  meet  these  needs. 


9 


Information  Security  Management:  Learning  From  Leading  Organizations  (GAO/AIMD-98-68,  May  1998). 
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•  promoting  awareness  of  risks  and  responsibilities,  and 

•  implementing  a  program  for  routinely  testing  and  evaluating  policy  and 
control  effectiveness. 

The  key  to  this  process  is  recognizing  that  information  security  is  not  a 
technical  matter  of  locking  down  systems,  but  rather  a  management 
problem  that  requires  understanding  information  security  risks  to  program 
operations  and  assets  and  ensuring  that  appropriate  steps  are  taken  to 
mitigate  these  risks.  Thus,  it  is  highly  appropriate  that  S.  1993  requires  a 
risk  management  approach  that  incorporates  these  elements. 

The  second  proposed  improvement  area  is  the  requirement  for  an  annual 
independent  audit  of  each  agency  information  security  program. 
Individually,  as  well  as  collectively,  these  audits  can  provide  much  needed 
information  for  improved  oversight  by  the  Office  of  Management  and 
Budget  (0MB)  and  the  Congress.  Our  years  of  auditing  agency  security 
programs  have  shown  that  independent  tests  and  evaluations  are  essential 
to  verifying  the  effectiveness  of  computer-based  controls.  Audits  can  also 
evaluate  agency  implementation  of  management  initiatives,  thus 
promoting  management  accountability.  Moreover,  an  annual  independent 
evaluation  of  agency  information  security  programs  will  help  drive  reform 
because  it  will  spotlight  both  the  obstacles  and  progress  toward  improving 
information  security,  much  like  the  financial  statement  audits  required  by 
the  Chief  Financial  Officers  Act  of  1990. 

Agency  financial  systems  are  already  subjected  to  such  evaluations  as  part 
of  their  annual  financial  statement  audits.  However,  I  would  like  to  note 
that  for  agencies  with  significant  nonfinancial  operations,  such  as  the 
departments  of  Defense  and  J  ustice,  the  requirement  for  annual 
independent  information  security  audits  would  place  a  significant  new 
burden  on  existing  audit  capabilities.  Accordingly,  making  these  audits 
effective  will  require  ensuring  that  agency  inspectors  general  have 
sufficient  resources  to  either  perform  or  contract  for  the  needed  work. 

Third,  S.  1993  takes  a  governmentwide  approach  to  information  security 
by  accommodating  a  wide  range  of  information  security  needs  and 
applying  requirements  to  all  agencies,  including  those  engaged  in  national 
security.  Under  current  law,  distinctions  between  national  security 
systems  and  all  other  government  systems  have  tended  to  frustrate  efforts 
to  establish  governmentwide  standards  and  to  share  information  security 
best  practices.  S.1993  should  help  eliminate  these  distinctions  and  ensure 
the  development  of  common  approaches  across  government  for  the 
protection  of  similar  risks,  regardless  of  the  agencies  involved. 
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This  is  important  because  the  information  security  needs  of  civilian  agency 
operations  and  those  of  national  security  operations  have  converged  in 
recent  years.  In  the  past,  when  sensitive  information  was  more  likely  to  be 
maintained  on  paper  or  in  stand-alone  computers,  the  main  concern  was 
data  confidentiality,  especially  as  it  pertained  to  classified  national 
security  data.  Now,  virtually  all  agencies  rely  on  interconnected  computers 
to  maintain  information  and  carry  out  operations  that  are  essential  to  their 
missions.  While  the  confidentiality  needs  of  these  data  vary,  all  agencies 
must  be  concerned  about  the  integrity  and  the  availability  of  their  systems 
and  data.  It  is  important  for  all  agencies  to  understand  these  various  types 
of  risks  and  take  appropriate  steps  to  manage  them. 


Strengthening 
Security  Control 
Standards  and 
Leadership  Also 
Merits  Attention 


While  S.  1993  would  update  the  current  legislative  framework  for 
computer  security,  two  important  considerations  not  addressed  in  the  bill- 
the  need  for  better-defined  security  control  standards  and  the  need  to 
clarify  and  strengthen  leadership  for  information  security  across 
government-are  critical  to  strengthening  security  practices  and  oversight. 

I  would  like  to  discuss  these  in  more  detail  as  they  complement  the  goals 
of  S.  1993  and  could  significantly  enhance  its  provisions. 

First,  there  is  a  need  for  better-defined  security  control  standards. 
Currently,  agencies  have  wide  discretion  in  deciding  what  computer 
security  controls  to  implement  and  the  level  of  rigor  with  which  they 
enforce  these  controls.  However,  as  mentioned  earlier,  our  audit  work  has 
shown  that  agencies  have  generally  done  a  poor  job  of  evaluating  risks  and 
implementing  effective  controls.  Moreover,  these  audits  have  shown  that 
agencies  need  more  specific  guidance  on  the  controls  that  are  appropriate 
for  the  different  types  of  information  that  must  be  protected.  Current  0MB 
and  National  Institute  of  Standards  and  Technology  (NIST)  guidance  is  not 
detailed  enough  to  ensure  that  agencies  are  making  appropriate  judgments 
in  this  area  and  that  they  are  protecting  the  same  types  of  data 
consistently  throughout  the  federal  community. 

More  specific  guidance  could  be  developed  in  two  parts: 

A  set  of  data  classifications  that  could  be  used  by  all  federal  agencies  to 
categorize  the  criticality  and  sensitivity  of  the  data  they  generate  and 
maintain.  These  classifications  could  range  from  noncritical,  publicly 
available  information  requiring  a  relatively  low  level  of  protection  to 
highly  sensitive  and  critical  information  that  requires  an  extremely  high 
level  of  protection.  Intermediate  classifications  could  cover  a  range  of 
financial  and  other  important  and  sensitive  data  that  require  significant 
protection  but  not  at  the  very  highest  levels.  It  would  be  important  for 
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these  data  classifications  to  be  clearly  defined  and  accompanied  by 
guidelines  regarding  the  types  of  data  that  would  fall  into  each 
classification. 

•  A  set  of  minimum  mandatory  control  requirements  for  each  classification. 
Such  control  requirements  could  cover  issues  such  as  (1)  the  strength  of 
system  user  authentication  techniques  (e.g.,  passwords,  smart  cards,  and 
biometrics)  for  each  classification,  (2)  appropriate  types  of  cryptographic 
tools  for  each  classification,  and  (3)  the  frequency  and  rigor  of  testing 
appropriate  for  each  classification. 

We  believe  that  requiring  the  development  of  these  standards,  particularly 
with  minimum  mandatory  control  requirements,  is  the  most  important 
addition  that  could  be  made  to  your  legislation.  More  precisely  defined 
standards  will  provide  common  measures  that  can  guide  agencies  in 
developing  needed  controls  and  improve  the  consistency  and  value  of 
audits  and  evaluations. 

Second,  there  is  a  need  for  strong,  centralized  leadership  for  information 
security  across  government.  Under  current  law,  responsibility  for 
guidance  and  oversight  of  agency  information  security  is  divided  among  a 
number  of  agencies,  including  0MB,  NIST,  the  General  Services 
Administration  (GSA),  and  the  National  Security  Agency.  Other 
organizations  are  also  becoming  involved  through  the  administration's 
critical  infrastructure  protection  initiative,  including  the  Department  of 
J  ustice  and  the  Critical  Infrastructure  Assurance  Office.  While  some 
coordination  is  occurring,  overall,  this  has  resulted  in  a  proliferation  of 
organizations  with  overlapping  oversight  and  assistance  responsibilities. 
Lacking  is  a  strong  voice  of  leadership  and  a  clear  understanding  of  roles 
and  responsibilities. 

Having  strong,  centralized  leadership  has  been  critical  to  addressing  other 
governmentwide  management  challenges.  For  example,  vigorous  support 
from  officials  at  the  highest  levels  of  government  was  necessary  to  prompt 
attention  and  action  to  resolving  the  Year  2000  problem.  Similarly, 
forceful,  centralized  leadership  was  essential  to  pressing  agencies  to  invest 
in  and  accomplish  basic  management  reforms  mandated  by  the  Chief 
Financial  Officers  Act.  To  achieve  similar  results  in  information  security, 
the  federal  government  must  have  the  support  of  top  leaders  and  more 
clearly  defined  roles  for  those  organizations  that  support  governmentwide 
initiatives.  We  believe  serious  consideration  should  be  given  in  your 
legislation  to  clarify  the  roles  of  organizations  responsible  for 
governmentwide  information  security  efforts,  for  example,  the  roles  of 
0MB,  NIST,  and  GSA  and  to  create  a  national  Chief  Information  Officer  to 
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provide  higher  visibility  and  more  effective  central  leadership  of 
information  security. 


In  conclusion,  we  support  S.  1993.  It  provides  ingredients  essential  to 
reforming  agency  information  security  practices  and  governmentwide 
oversight.  In  particular,  it  recognizes  the  highly  networked  nature  of  the 
federal  computing  environment;  it  calls  for  a  more  comprehensive,  risk- 
based  framework  toward  information  security  management;  and  it 
provides  for  annual  independent  audits  of  security  programs.  Basically, 
the  bill  provides  a  better  management  framework  for  addressing 
information  security  issues  and  provides  a  mechanism  for  independently 
checking  how  those  issues  are  being  addressed.  As  we  noted,  this 
objective  could  be  further  strengthened  by  requiring  better-defined 
security  control  standards  and  strengthening  governmentwide  leadership. 

Mr.  Chairman  and  Members  of  the  Committee,  this  concludes  my 
testimony.  We  look  forward  to  working  with  the  Committee  to  advance 
the  issues  discussed  today  as  well  as  to  address  our  technical  comments, 
which  we  have  provided  separately.  I  would  be  happy  to  answer  any 
questions  you  may  have. 


(511184) 
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Ordering  Information  Orders  by  Internet 

For  information  on  how  to  access  GAO  reports  on  the  Internet,  send 
an  e-mail  message  with  "info"  in  the  body  to: 

lnfo@www.gao.gov 

or  visit  GAO'S  World  Wide  Web  home  page  at: 
http://www.gao.gov 


To  Report  Fraud, 
Waste,  and  Abuse  in 
Federal  Programs 


Contact  one: 

Web  site:  http://www.gao.gov/fraudnet/fraudnet.htm 

E-mail:  fraudnet@gao.gov 

1-800-424-5454  (automated  answering  system) 


